Because there is only one realm field in the kdc request, the KDC
remaps WELLKNOWN/ANONYMOUS@realm to
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS.

In the client pkinit plugin, do not require that the anonymous realm be used for the anonymous principal.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23494 dc483132-0cff-0310-8789-dd5450dbe970
hartmans committed Dec 23, 2009
1 parent 4b7f315 commit c76e133
Showing 2 changed files with 17 additions and 1 deletion.
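--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -389,6 +389,22 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 enc_tkt_reply.caddrs = request->addresses;
 enc_tkt_reply.authorization_data = 0;
 
+/* If anonymous requests are being used, adjust the realm of the client principal*/
+if (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS) {
+if (!krb5_principal_compare_any_realm(kdc_context, request->client,
+krb5_anonymous_principal())) {
+errcode = KRB5KDC_ERR_BADOPTION;
+status = "Anonymous requested but anonymous principal not used.";
+goto errout;
+}
+krb5_free_principal(kdc_context, request->client);
+errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
+&request->client);
+if (errcode) {
+status = "Copying anonymous principal";
+goto errout;
+}
+}
 /*
 * Check the preauthentication if it is there.
 */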
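Review bot: Between `krb5_free_principal(kdc_context, request->client)` and the `krb5_copy_principal` call, `request->client` holds a freed pointer, and the `if (errcode)` branch jumps to `errout` with it still set. Whether that turns into a use-after-free or a double free depends on code outside this hunk (what `errout` and the caller's request cleanup do with `request->client`, and whether `krb5_copy_principal` writes its output on failure), so the new code should not depend on it. Copy into a local first and swap only on success: `errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(), &anon);`, then after the error check `krb5_free_principal(kdc_context, request->client); request->client = anon;`. process_as_req starts and ends outside the hunk.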
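--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -505,7 +505,7 @@ pkinit_identity_initialize(krb5_context context,
 int i;
 
 pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
-if (!krb5_principal_compare (context, princ, krb5_anonymous_principal())) {
+if (!krb5_principal_compare_any_realm (context, princ, krb5_anonymous_principal())) {
 if (idopts == NULL || id_cryptoctx == NULL)
 goto errout;
 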
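Review bot: The condition on the changed line now gates the whole identity-setup branch on a realm-insensitive match, and nothing in the code says why the realm is ignored. A short comment above the `if` would keep a later reader from tightening it back, for example `/* Anonymous PKINIT needs no client identity; the realm is ignored because the KDC remaps the anonymous principal's realm. */`. The body of pkinit_identity_initialize continues outside the hunk, so what the skipped branch loads is not visible here.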
